Cisco ASA

Overview

Cisco ASA is one of the few event sources that can carry multiple log types on a single port, because a single device emits both firewall and VPN logs.

Before You Begin

In order for the InsightOps parser to work, make sure 'logging timestamp' is turned on and a 'logging host' entry has been configured for the InsightOps collector.

To make full use of the detection capabilities in InsightOps, set the logging level on the device to Severity 6 (Informational Messages); most of the connection and VPN events listed below are logged at that level. To learn how, see this page.

Forward Logs from ASDM

To forward logs from Cisco's Adaptive Security Device Manager, complete the following steps:

  1. In ASDM, select Configuration.
  2. Select Device Management, and choose Logging from the dropdown menu options.
  3. Select Syslog Servers. Click Add and, in Syslog Servers, enter the information for your InsightOps collector.
  4. Ensure that your Collector is reachable from the Cisco ASA.

Command Line Logging

While you can configure Cisco ASA logging through ASDM, configuring it from the command line interface can be complicated when you are trying to turn on exactly the logging InsightOps needs.

If you prefer the command line, use the sample logs below as a reference for what InsightOps expects to parse. Where available, an example log line in standard syslog format follows each message ID.

ASA-4-106023 - Deny firewall connection

<13>Feb 26 11:59:40 10.62.5.20 Feb 26 11:59:40 usiadasa101 %ASA-4-106023: Deny udp src LSI-TEST-TRANSIT:10.63.1.85/43670 dst DC-TRANSIT:10.62.65.20/111 by access-group "LSI-TEST-TRANSIT_ACCESS_IN" [0x257f55e5, 0xe5b85413]

ASA-5-106100 - Allow firewall connection

<189>Feb 27 14:11:58 10.1.2.3: %ASA-5-106100: access-list inside_access_in permitted tcp inside/10.3.6.89(60759) -> outside/98.139.225.13(80) hit-cnt 1 first hit [0x4e0b70da, 0x386bad81]

ASA-6-113005 - VPN Authentication failed with bad password

<166>Aug 07 2014 10:00:03 FW2-RAZOR : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.10.100 : user = foobar : user IP = 32.141.157.135

ASA-6-302013 - TCP connection created

<189>Mar 25 19:00:02 10.15.128.6: %ASA-4-302013: Built outbound TCP connection 139684278 for Outside:2.40.106.199/3598 (2.40.105.199/3598) to Inside:10.6.33.107/25252 (64.201.138.105/25252)

ASA-6-302014 - TCP connection completed

<166>Sep 23 2015 16:12:37 10.128.91.80 : %ASA-6-302014: Teardown TCP connection 115466298 for Outside:108.171.131.134/8080 to Inside:10.128.64.129/31997 duration 0:00:02 bytes 8040 TCP FINs

ASA-6-302015 - UDP connection created

<166>Mar 25 19:00:02 10.15.128.6 %ASA-6-302015: Built outbound UDP connection 145221138078637354 for inside:10.35.218.116/3598 (140.198.32.130/18406) to outside:134.174.110.7/8760 (134.174.110.7/8760)

ASA-6-302016 - UDP connection completed

<166>Dec 14 2013 16:59:36 10.6.1.1 : %ASA-6-302016: Teardown UDP connection 823803842 for Outside:10.255.253.253/49933 to Inside:10.1.25.100/53 duration 0:00:00 bytes 121 (reyga)

ASA-5-304001 - URL accessed

<13>Mar 5 14:23:11 10.5.255.5 %ASA-5-304001: 10.5.111.32 Accessed URL 207.200.74.32:http://example.com

ASA-5-304002 - URL access denied

<189>Feb 27 14:42:23 10.4.5.6: %ASA-5-304002: Access denied URL http://s.tbdress.com/images/favicon.ico SRC 10.69.6.39 DEST 72.21.91.19 on interface inside

ASA-3-710003 - Access denied by ACL

ASA-3-713167 - VPN Access denied

<187>Jul 21 2014 07:21:22: %ASA-3-713167: Group = AGROUP, Username = aperson, IP = 173.255.216.111, Remote peer has failed user authentication - check configured username and password

ASA-6-713228 - VPN Assigned IP

<134>Aug 19 2013 13:09:20: %ASA-6-713228: Group = rapid7vpnusers, Username = aguerlain, IP = 75.99.48.194, Assigned private IP address 140.251.84.153 to remote user

ASA-6-716038 - WebVPN Auth Success

ASA-6-716039 - WebVPN Authentication failed

<166>Aug 07 2014 10:00:03 FW2-RAZOR : %ASA-6-716039: Group <DfltGrpPolicy> User <foobar> IP <75.142.186.165> Authentication: rejected, Session Type: WebVPN.

ASA-4-722029 - VPN Session Termination

<164>Feb 11 2013 06:00:52 10.6.1.1 : %ASA-4-722029: Group <Operations> User <aguerlain> IP <216.55.6.70> SVC Session Termination: Conns: 1, DPD Conns: 0, Comp resets: 0, Dcmp resets: 0.

ASA-4-722051 - VPN Assign IP

<164>Jan 13 2014 08:47:27: %ASA-4-722051: Group <SGC-VPN> User <aguerlain> IP <67.222.120.38> IPv4 Address <10.254.1.108> IPv6 address <::> assigned to session
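The parser below is an added example for this page and is not Rapid7 InsightOps or Cisco code. It shows how the sample lines above break down: the variable syslog header (with or without a device ID, with or without a year) ends at the %ASA-severity-ID marker, the PRI value splits into facility and syslog severity, and the message body is matched by a per-ID pattern that yields the fields a detection would key on (source/destination endpoints, ACL name, username, peer IP, assigned VPN address). It also rejects a line whose header carries no device timestamp, which is the 'logging timestamp' off case described under Before You Begin, and it treats the 'user IP' field of 113005 as optional rather than failing on it. The field names, the failed_auth_by_peer helper and the SAMPLES list are this example's own; the samples are copied from this page, plus one constructed line with the timestamp removed.

```python
"""Parser for the Cisco ASA syslog lines shown on this page.

Added example for this page, not Rapid7 InsightOps or Cisco code.  Field
names (src_ip, peer_ip, ...) are this example's own.  SAMPLES is built from
the page's sample lines plus one constructed line with no timestamp.
"""
import re
from collections import Counter

# Every ASA message ends its (variable) syslog header with %ASA-<sev>-<id>:
MARKER = re.compile(r"%(?:ASA|FWSM|PIX)-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")
PRI = re.compile(r"^<(?P<pri>\d{1,3})>")
# What 'logging timestamp' adds: 'Feb 26 11:59:40' or 'Aug 07 2014 10:00:03'.
TIMESTAMP = re.compile(r"[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}")


def endpoint(p):
    """interface:ip/port, e.g. DC-TRANSIT:10.62.65.20/111, as named groups."""
    return rf"(?P<{p}_if>[^:\s]+):(?P<{p}_ip>[^/\s]+)/(?P<{p}_port>\d+)"


DENY = re.compile(r"Deny (?P<proto>\S+) src " + endpoint("src") + " dst " + endpoint("dst")
                  + r' by access-group "(?P<acl>[^"]+)"')
ACL_HIT = re.compile(r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
                     r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\) -> "
                     r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\)")
# 'user IP' is optional: ASA before 9.2.1 omits it (CSCui82751), so do not fail on it.
AAA_REJECT = re.compile(r"reason = (?P<reason>.+?) : server = (?P<server>\S+) : user = (?P<user>\S+)"
                        r"(?: : user IP = (?P<peer_ip>\S+))?")
BUILT = re.compile(r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection "
                   r"(?P<conn_id>\d+) for " + endpoint("src") + r" \([^)]*\) to " + endpoint("dst"))
TEARDOWN = re.compile(r"Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
                      + endpoint("src") + " to " + endpoint("dst")
                      + r" duration (?P<duration>\S+) bytes (?P<bytes>\d+)")
URL_OK = re.compile(r"(?P<src_ip>\S+) Accessed URL (?P<dst_ip>[^:\s]+):(?P<url>\S+)")
URL_DENY = re.compile(r"Access denied URL (?P<url>\S+) SRC (?P<src_ip>\S+) DEST (?P<dst_ip>\S+)")
VPN_EQ = re.compile(r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<peer_ip>[^,]+)")
VPN_ANGLE = re.compile(r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<peer_ip>[^>]+)>")
ASSIGNED = re.compile(r"(?:Assigned private IP address |IPv4 Address <)(?P<assigned_ip>[0-9.]+)")

# Body patterns per message ID; IDs with the same shape share a pattern.
BODY = {
    "106023": (DENY,), "106100": (ACL_HIT,), "113005": (AAA_REJECT,),
    "302013": (BUILT,), "302015": (BUILT,), "302014": (TEARDOWN,), "302016": (TEARDOWN,),
    "304001": (URL_OK,), "304002": (URL_DENY,),
    "713167": (VPN_EQ,), "713228": (VPN_EQ, ASSIGNED),
    "716038": (VPN_ANGLE,), "716039": (VPN_ANGLE,),
    "722029": (VPN_ANGLE,), "722051": (VPN_ANGLE, ASSIGNED),
}
FAILED_AUTH = {"113005", "713167", "716039"}


def parse_asa(line):
    """Return a dict of fields, or None when the line cannot be parsed.

    None also covers a line whose header has no device timestamp: that is
    the 'logging timestamp' off case called out on this page.
    """
    m = MARKER.search(line)
    if not m or not TIMESTAMP.search(line[:m.start()]):
        return None
    rec = {"msg_id": m.group("msg_id"), "severity": int(m.group("sev"))}
    pri = PRI.match(line)
    if pri:  # PRI = facility * 8 + syslog severity (RFC 3164)
        rec["facility"], rec["syslog_severity"] = divmod(int(pri.group("pri")), 8)
    for pat in BODY.get(rec["msg_id"], ()):
        hit = pat.search(m.group("body"))
        if hit:
            rec.update({k: v for k, v in hit.groupdict().items() if v is not None})
    return rec


def failed_auth_by_peer(lines):
    """Count failed VPN/AAA authentications per remote IP, the raw material
    for a brute-force detection.  Unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_asa(line)
        if rec and rec["msg_id"] in FAILED_AUTH:
            counts[rec.get("peer_ip", "unknown")] += 1
    return counts


# Constructed from the page's samples; the last line has its timestamp removed on purpose.
SAMPLES = [
    '<13>Feb 26 11:59:40 10.62.5.20 Feb 26 11:59:40 usiadasa101 %ASA-4-106023: Deny udp src LSI-TEST-TRANSIT:10.63.1.85/43670 dst DC-TRANSIT:10.62.65.20/111 by access-group "LSI-TEST-TRANSIT_ACCESS_IN" [0x257f55e5, 0xe5b85413]',
    "<166>Aug 07 2014 10:00:03 FW2-RAZOR : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.10.100 : user = foobar : user IP = 32.141.157.135",
    "<187>Jul 21 2014 07:21:22: %ASA-3-713167: Group = AGROUP, Username = aperson, IP = 173.255.216.111, Remote peer has failed user authentication - check configured username and password",
    "<166>Sep 23 2015 16:12:37 10.128.91.80 : %ASA-6-302014: Teardown TCP connection 115466298 for Outside:108.171.131.134/8080 to Inside:10.128.64.129/31997 duration 0:00:02 bytes 8040 TCP FINs",
    "<164>Jan 13 2014 08:47:27: %ASA-4-722051: Group <SGC-VPN> User <aguerlain> IP <67.222.120.38> IPv4 Address <10.254.1.108> IPv6 address <::> assigned to session",
    "<166>FW2-RAZOR : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.10.10.100 : user = foobar : user IP = 32.141.157.135",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_asa(line))
    print(failed_auth_by_peer(SAMPLES))
```

Severity is taken from the %ASA-n-ID marker rather than from the PRI, because the two can disagree: the PRI reflects the syslog facility and level the device was told to send with, while the marker is the message's own severity (and can be changed per message ID on the ASA). Any line that returns None is one the InsightOps parser would also be unable to use, so that is the first thing to check when events are missing.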

FWSM-4-305011

Learn More

Click here to learn what each of these codes means.

To read further on how Cisco logging is configured, click here.

For additional syslog examples, see the additional documentation.

How to Configure This Event Source in InsightOps

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. At the top right of the page, select Add Data.
  3. Select the Firewall icon from the Security Data section.
  4. Select your collector, and from the list of options, choose Cisco ASA Firewall/VPN.
  5. Choose a timezone, or optionally choose a US timezone.
  6. Optionally choose to send unfiltered logs.
  7. Configure any advanced event source settings.
  8. Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. If you choose TCP, you can optionally encrypt the event source.
  9. If you choose to encrypt, select the "Download Certificate" button, which downloads Rapid7's CA certificate as a file called Rapid7CA.pem. The Cisco ASA uses this certificate to verify the collector's TLS certificate, so that the two sides trust each other during log forwarding.

Advanced Event Source Settings

Inactivity Timeout Threshold: specify in minutes how long the event source should be inactive before it enters an error state.

Fallback Domain(s): if you have event sources running in a multi-domain environment, Rapid7 recommends configuring a fallback domain so that user accounts can be resolved to the correct domain.

For instance, if your company operates in the US and in Canada, both locations have a user named "John Smith", and your main domain is company.com, your fallback domain could be company.ca, which allows InsightOps to attribute data to the correct user more accurately.

Troubleshooting

Parsing

Ensure timestamps are turned on ('logging timestamp'); otherwise the Rapid7 parser will not work.

Logging Configuration

Ensure the following:

  • the 'logging timestamp' is turned on
  • the 'logging host' has been configured for the InsightOps collector.

Make sure to set the logging level on the device to Severity 6 (Informational Messages). Use this guide for instructions.

Note: ASA software versions earlier than 9.2.1 have a bug (CSCui82751) in which ASA-6-113005 events are logged without the user's source IP address, so they cannot be used for detection within InsightOps.